As the EU works to reform its data protection rules, it is concurrently negotiating various high-profile trade agreements such as the Transatlantic Trade and Investment Partnership (TTIP) and the Trade in Services Agreement (TiSA). One of the most discussed topics in both the EU data protection reform and the trade agenda is so-called “data flows”.

On the economic side of the issue, the information and communications technology (ICT) industry vehemently argues for the significance of data flows in promoting economic prosperity, consequently viewing divergent data protection standards among trading partners as a form of protectionism. This is the position of, for instance, IBM with regard to the TTIP negotiations, as revealed by a document that Corporate Europe Observatory, an NGO seeking to expose the effects of corporate lobbying on EU policy making, obtained through a freedom of information (FOIA) request. On transatlantic digital issues, IBM stresses a “particular interest in a provision that ensures free data flows”. Moreover, this view is not exclusive to the corporate domain: another document obtained reveals that, in the context of the High-Level Transatlantic Summit, the chief economic strategist of the think tank Progressive Policy Institute argued for the value of data as an economic stimulus, stressing the dangers of an overly strict regulatory regime.

However, these assessments disregard the value of data protection in inducing trust and attracting consumers. In fact, data protection is not an economic burden, but a business opportunity. This view is confirmed by the European Parliament International Trade Committee’s (INTA’s) draft Report on TiSA, which states that “data protection is not an economic burden, but a source of economic growth”. Furthermore, this view is supported by the positions of some companies, which do not treat data flows as a priority in trade negotiations. Another document obtained via a FOIA request signals that in the context of transatlantic e-commerce, a company like eBay relies on data transfers on the basis of binding corporate rules recognised under the current and planned EU data protection legal frameworks.

It must be recalled that while international data transfers are possible, they need to comply with EU law. By default, Directive 95/46 prohibits Member States from transferring data to a third country, unless the third country ensures an adequate level of protection or satisfies exceptions to the adequacy requirement under Article 26 of Directive 95/46. The rules on data transfers must be viewed in light of the ruling of the European Court of Justice (CJEU) in the Schrems v Data Protection Commissioner case, which, among other things, found that data protection is a fundamental right whose level of protection must be “essentially equivalent” to that guaranteed within the EU.

The Court’s decision acts as a reminder that, amid talk of protectionism, trade barriers and economic burdens, data protection remains a fundamental right recognised under the Charter of Fundamental Rights of the European Union.